This blog post comes from the “Cylance Ransomware Technical Analysis Report” by the Brandefense Research Team. For more details about the analysis, download the report.

Scope

The report analyzes the executable file of Cylance ransomware targeting Linux systems, but there is also a version targeting Windows operating systems. 

Penetratin Into System

Attackers looking to infiltrate servers and IoT platforms using ELF malware cannot rely on end-user interaction or phishing emails to install malware on their behalf, a widely expected behavior on Windows systems. This is because Linux environments are used in server and/or IoT devices with little end-user interaction, and attackers target these environments. 

Below, we have outlined how ELF malware can potentially infect systems.

• Exploiting the Vulnerabilities

Attackers will target vulnerable and unpatched publicly available services or application components to gain access to systems. In addition to vulnerabilities, misconfigurations implemented on the services can also provide an entry point for attackers using ELF malware.

Conclusion

The lack of a data leak site or support page, as with popular ransomware, suggests that the ransomware analyzed is still in its early stages, but given the increase in ransomware attacks targeting both Windows and Linux systems, it is thought that threat actors are trying to catch up with the trend.

Download YARA Rules and IoCs from GitHub.

This blog post comes from the “Mystic Stealer Technical Analysis Report” by the Brandefense Research Team. For more details about the analysis, download the report.